Hi All,
Is there any way in Apigee to allow API call access only from a specific domain? For example, I want the Apigee call to be triggered to the targeted API only if the request is made from www.example.com or the host IP address of www.example.com. Is it possible?
I'd read the "Host" header value and put a RaiseFault policy if the value is invalid. The Host header value is automatically put into a variable called request.header.Host for you, so doing this should be fine:

    <Step>
      <Condition>request.header.Host != "google.com"</Condition>
      <Name>RaiseFault.RequestFromInvalidDomain</Name>
    </Step>
You can filter the origin domain in a JS call using the CORS Origin header.
The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser. This happens in a preflight (OPTIONS) call before the real API call happens.
You should be able to configure Apigee to send the correct Origin header back (www.example.com) so that no other domain can make a JS call.
http://stackoverflow.com/questions/10636611/how-does-access-control-allow-origin-header-work
But your API is still open to anyone else using an API client (like curl) without JS. So while you are preventing access from other JS clients, your API is still wide open to any other client type.
Perhaps a proper security measure (OAuth perhaps?) is better suited for this?
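Putting both answers together as an added example (not from the original thread or Apigee's own docs): a RaiseFault policy invoked from a PreFlow step that checks the Host header, an AssignMessage policy that returns a single Access-Control-Allow-Origin value, and a no-target RouteRule so the proxy answers the browser's preflight itself. The policy names, file paths and the api.example.com / www.example.com values are assumptions.

```xml
<!-- apiproxy/policies/RaiseFault.RequestFromInvalidDomain.xml -->
<RaiseFault name="RaiseFault.RequestFromInvalidDomain">
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <Payload contentType="application/json">{"error":"request from invalid domain"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- apiproxy/policies/AM.AddCORSHeaders.xml (policy name assumed) -->
<AssignMessage name="AM.AddCORSHeaders">
  <Set>
    <Headers>
      <!-- one fixed origin rather than "*": only pages from this origin may read the response -->
      <Header name="Access-Control-Allow-Origin">https://www.example.com</Header>
      <Header name="Access-Control-Allow-Methods">GET, POST, OPTIONS</Header>
      <Header name="Access-Control-Allow-Headers">Content-Type, Authorization</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

<!-- apiproxy/proxies/default.xml (relevant parts; hostname assumed) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- request.header.Host is the hostname the client addressed the proxy with -->
      <Step>
        <Condition>request.header.Host != "api.example.com"</Condition>
        <Name>RaiseFault.RequestFromInvalidDomain</Name>
      </Step>
    </Request>
    <Response>
      <!-- attach CORS headers to every response, including the answered preflight -->
      <Step>
        <Name>AM.AddCORSHeaders</Name>
      </Step>
    </Response>
  </PreFlow>
  <!-- answer the browser's OPTIONS preflight in the proxy instead of forwarding it to the target -->
  <RouteRule name="NoRouteForPreflight">
    <Condition>request.verb == "OPTIONS" AND request.header.origin != null</Condition>
  </RouteRule>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

Host carries the hostname the client addressed the proxy with and Origin is added by the browser, so neither constrains a non-browser client; an OAuth or API-key policy is the control for that, as the answer above says.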